arguments.go 8.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361
  1. package executor
  2. import (
  3. config "github.com/OliveTin/OliveTin/internal/config"
  4. sv "github.com/OliveTin/OliveTin/internal/stringvariables"
  5. log "github.com/sirupsen/logrus"
  6. "fmt"
  7. "net/mail"
  8. "net/url"
  9. "regexp"
  10. "strings"
  11. "time"
  12. )
  13. var (
  14. typecheckRegex = map[string]string{
  15. "very_dangerous_raw_string": "",
  16. "int": "^[\\d]+$",
  17. "unicode_identifier": "^[\\w\\/\\\\.\\_ \\d]+$",
  18. "ascii": "^[a-zA-Z0-9]+$",
  19. "ascii_identifier": "^[a-zA-Z0-9\\-\\.\\_]+$",
  20. "ascii_sentence": "^[a-zA-Z0-9 \\,\\.]+$",
  21. }
  22. )
  23. func parseCommandForReplacements(shellCommand string, values map[string]string) (string, error) {
  24. r := regexp.MustCompile("{{ *?([a-zA-Z0-9_]+?) *?}}")
  25. foundArgumentNames := r.FindAllStringSubmatch(shellCommand, -1)
  26. for _, match := range foundArgumentNames {
  27. argName := match[1]
  28. argValue, argProvided := values[argName]
  29. if !argProvided {
  30. return "", fmt.Errorf("required arg not provided: %v", argName)
  31. }
  32. shellCommand = strings.ReplaceAll(shellCommand, match[0], argValue)
  33. }
  34. return shellCommand, nil
  35. }
  36. func parseActionArguments(values map[string]string, action *config.Action, entityPrefix string) (string, error) {
  37. log.WithFields(log.Fields{
  38. "actionTitle": action.Title,
  39. "cmd": action.Shell,
  40. }).Infof("Action parse args - Before")
  41. for _, arg := range action.Arguments {
  42. argName := arg.Name
  43. argValue := values[argName]
  44. err := typecheckActionArgument(&arg, argValue, action)
  45. if err != nil {
  46. return "", err
  47. }
  48. log.WithFields(log.Fields{
  49. "name": argName,
  50. "value": argValue,
  51. }).Debugf("Arg assigned")
  52. }
  53. parsedShellCommand, err := parseCommandForReplacements(action.Shell, values)
  54. parsedShellCommand = sv.ReplaceEntityVars(entityPrefix, parsedShellCommand)
  55. redactedShellCommand := redactShellCommand(parsedShellCommand, action.Arguments, values)
  56. if err != nil {
  57. return "", err
  58. }
  59. log.WithFields(log.Fields{
  60. "actionTitle": action.Title,
  61. "cmd": redactedShellCommand,
  62. }).Infof("Action parse args - After")
  63. return parsedShellCommand, nil
  64. }
  65. //gocyclo:ignore
  66. func redactShellCommand(shellCommand string, arguments []config.ActionArgument, argumentValues map[string]string) string {
  67. for _, arg := range arguments {
  68. if arg.Type == "password" {
  69. argValue, exists := argumentValues[arg.Name]
  70. if !exists {
  71. log.Warnf("Redact shell command: Argument %s not found in values", arg.Name)
  72. continue
  73. }
  74. if argValue == "" {
  75. continue
  76. }
  77. shellCommand = strings.ReplaceAll(shellCommand, argValue, "<redacted>")
  78. }
  79. }
  80. return shellCommand
  81. }
  82. func typecheckActionArgument(arg *config.ActionArgument, value string, action *config.Action) error {
  83. if arg.Type == "confirmation" {
  84. return nil
  85. }
  86. if arg.Name == "" {
  87. return fmt.Errorf("argument name cannot be empty")
  88. }
  89. return typecheckActionArgumentFound(value, action, arg)
  90. }
  91. func typecheckActionArgumentFound(value string, action *config.Action, arg *config.ActionArgument) error {
  92. if value == "" {
  93. return typecheckNull(arg)
  94. }
  95. if len(arg.Choices) > 0 {
  96. return typecheckChoice(value, arg)
  97. }
  98. return TypeSafetyCheck(arg.Name, value, arg.Type)
  99. }
  100. // TypeSafetyCheck checks argument values match a specific type. The types are
  101. // defined in typecheckRegex, and, you guessed it, uses regex to check for allowed
  102. // characters.
  103. //
  104. //gocyclo:ignore
  105. func TypeSafetyCheck(name string, value string, argumentType string) error {
  106. switch argumentType {
  107. case "password":
  108. return nil
  109. case "raw_string_multiline":
  110. return nil
  111. case "email":
  112. return typeSafetyCheckEmail(value)
  113. case "url":
  114. return typeSafetyCheckUrl(value)
  115. case "datetime":
  116. return typeSafetyCheckDatetime(value)
  117. }
  118. return typeSafetyCheckRegex(name, value, argumentType)
  119. }
  120. func typecheckNull(arg *config.ActionArgument) error {
  121. if arg.RejectNull {
  122. return fmt.Errorf("null values are not allowed")
  123. }
  124. return nil
  125. }
  126. func typecheckChoice(value string, arg *config.ActionArgument) error {
  127. if arg.Entity != "" {
  128. return typecheckChoiceEntity(value, arg)
  129. }
  130. for _, choice := range arg.Choices {
  131. if value == choice.Value {
  132. return nil
  133. }
  134. }
  135. return fmt.Errorf("argument value is not one of the predefined choices")
  136. }
  137. func typecheckChoiceEntity(value string, arg *config.ActionArgument) error {
  138. templateChoice := arg.Choices[0].Value
  139. for _, ent := range sv.GetEntities(arg.Entity) {
  140. choice := sv.ReplaceEntityVars(ent, templateChoice)
  141. if value == choice {
  142. return nil
  143. }
  144. }
  145. return fmt.Errorf("argument value cannot be found in entities")
  146. }
  147. func typeSafetyCheckEmail(value string) error {
  148. _, err := mail.ParseAddress(value)
  149. log.Errorf("Email check: %v, %v", err, value)
  150. if err != nil {
  151. return err
  152. }
  153. return nil
  154. }
  155. func typeSafetyCheckDatetime(value string) error {
  156. _, err := time.Parse("2006-01-02T15:04:05", value)
  157. if err != nil {
  158. return err
  159. }
  160. return nil
  161. }
  162. func typeSafetyCheckRegex(name string, value string, argumentType string) error {
  163. pattern := ""
  164. if strings.HasPrefix(argumentType, "regex:") {
  165. pattern = strings.Replace(argumentType, "regex:", "", 1)
  166. } else {
  167. found := false
  168. pattern, found = typecheckRegex[argumentType]
  169. if !found {
  170. return fmt.Errorf("argument type not implemented %v for arg: %v", argumentType, name)
  171. }
  172. }
  173. matches, _ := regexp.MatchString(pattern, value)
  174. if !matches {
  175. log.WithFields(log.Fields{
  176. "name": name,
  177. "value": value,
  178. "type": argumentType,
  179. "pattern": pattern,
  180. }).Warn("Arg type check safety failure")
  181. return fmt.Errorf("invalid argument %v, doesn't match %v", name, argumentType)
  182. }
  183. return nil
  184. }
  185. func typeSafetyCheckUrl(value string) error {
  186. _, err := url.ParseRequestURI(value)
  187. return err
  188. }
  189. func mangleInvalidArgumentValues(req *ExecutionRequest) {
  190. for _, arg := range req.Action.Arguments {
  191. if arg.Type == "datetime" {
  192. mangleInvalidDatetimeValues(req, &arg)
  193. }
  194. mangleCheckboxValues(req, &arg)
  195. }
  196. }
  197. func mangleCheckboxValues(req *ExecutionRequest, arg *config.ActionArgument) {
  198. if arg.Type != "checkbox" {
  199. return
  200. }
  201. log.Infof("Checking checkbox values for argument %s in action %s", arg.Name, req.Action.Title)
  202. for i, _ := range arg.Choices {
  203. choice := &arg.Choices[i]
  204. if req.Arguments[arg.Name] == choice.Title {
  205. log.WithFields(log.Fields{
  206. "arg": arg.Name,
  207. "oldValue": req.Arguments[arg.Name],
  208. "newValue": choice.Value,
  209. "actionTitle": req.Action.Title,
  210. }).Infof("Mangled checkbox value")
  211. req.Arguments[arg.Name] = choice.Value
  212. }
  213. }
  214. }
  215. func mangleInvalidDatetimeValues(req *ExecutionRequest, arg *config.ActionArgument) {
  216. value, exists := req.Arguments[arg.Name]
  217. if !exists || value == "" {
  218. return
  219. }
  220. timestamp, err := time.Parse("2006-01-02T15:04", value)
  221. if err == nil {
  222. log.WithFields(log.Fields{
  223. "arg": arg.Name,
  224. "value": value,
  225. "actionTitle": req.Action.Title,
  226. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  227. req.Arguments[arg.Name] = timestamp.Format("2006-01-02T15:04:05")
  228. }
  229. }
  230. func parseActionExec(values map[string]string, action *config.Action, entityPrefix string) ([]string, error) {
  231. for _, arg := range action.Arguments {
  232. argName := arg.Name
  233. argValue := values[argName]
  234. err := typecheckActionArgument(&arg, argValue, action)
  235. if err != nil {
  236. return nil, err
  237. }
  238. log.WithFields(log.Fields{
  239. "name": argName,
  240. "value": argValue,
  241. }).Debugf("Arg assigned")
  242. }
  243. parsedArgs := make([]string, len(action.Exec))
  244. for i, arg := range action.Exec {
  245. parsedArg, err := parseCommandForReplacements(arg, values)
  246. if err != nil {
  247. return nil, err
  248. }
  249. parsedArg = sv.ReplaceEntityVars(entityPrefix, parsedArg)
  250. parsedArgs[i] = parsedArg
  251. }
  252. redactedArgs := redactExecArgs(parsedArgs, action.Arguments, values)
  253. log.WithFields(log.Fields{
  254. "actionTitle": action.Title,
  255. "cmd": redactedArgs,
  256. }).Infof("Action parse args - After (Exec)")
  257. return parsedArgs, nil
  258. }
  259. //gocyclo:ignore
  260. func redactExecArgs(execArgs []string, arguments []config.ActionArgument, argumentValues map[string]string) []string {
  261. redacted := make([]string, len(execArgs))
  262. for i, arg := range execArgs {
  263. redacted[i] = redactShellCommand(arg, arguments, argumentValues)
  264. }
  265. return redacted
  266. }
  267. func checkShellArgumentSafety(action *config.Action) error {
  268. if action.Shell == "" {
  269. return nil
  270. }
  271. unsafeTypes := []string{"url", "email", "raw_string_multiline", "very_dangerous_raw_string"}
  272. for _, arg := range action.Arguments {
  273. for _, unsafeType := range unsafeTypes {
  274. if arg.Type == unsafeType {
  275. return fmt.Errorf("unsafe argument type '%s' cannot be used with Shell execution. Use 'exec' instead. See https://docs.olivetin.app/action_execution/shellvsexec.html", arg.Type)
  276. }
  277. }
  278. }
  279. return nil
  280. }